Bug 338208: SSL tests using FIPS140-2 softoken. r=julien
authorslavomir.katuscak%sun.com
Fri, 20 Jul 2007 08:28:10 +0000
changeset 7953 66d9cb69c5a73ce6e8b8f85bb19477bca0178b62
parent 7949 26960af5bfc88b445b2a1e0cb3fe443bffe4e1d6 (current diff)
parent 7952 b4209f9b57850f320613886a66aac9cacc3d145d (diff)
child 7954 cc535fbe34620dd757487a167939cccc1720fc42
push idunknown
push userunknown
push dateunknown
reviewersjulien
bugs338208
Bug 338208: SSL tests using FIPS140-2 softoken. r=julien
security/nss/tests/ssl/ssl.sh
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
@@ -284,21 +284,26 @@ ssl_cov()
   mixed=0
   start_selfserv # Launch the server
                
   p=""
 
   while read ectype tls param testname
   do
       p=`echo "$testname" | sed -e "s/_.*//"`   #sonmi, only run extended test on SSL3 and TLS
+
+      echo "$testname" | grep EXPORT > /dev/null 2>&1 
+      exp=$?
       
       if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then
           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
       elif [ "$ectype" = "ECC" -a  -z "$NSS_ENABLE_ECC" ] ; then
           echo "$SCRIPTNAME: skipping  $testname (ECC only)"
+      elif [ "$p" = "SSL2" -o "$exp" -eq 0 ] && [ "$BYPASS_STRING" = "Server FIPS" ] ; then
+          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
       elif [ "$ectype" != "#" ] ; then
           echo "$SCRIPTNAME: running $testname ----------------------------"
           TLS_FLAG=-T
           if [ "$tls" = "TLS" ]; then
               TLS_FLAG=""
           fi
 
 # These five tests need an EC cert signed with RSA
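Review bot: The new FIPS skip condition mixes `-o` inside `[ ]` with an external `&&`, and the `exp` flag it relies on is a bare substring match of "EXPORT" anywhere in the test name, computed on every iteration even when `BYPASS_STRING` is not "Server FIPS". The logic is correct only because the `-o` pair is isolated in its own bracket; a clearer, unambiguous form is `elif [ "$BYPASS_STRING" = "Server FIPS" ] && { [ "$p" = "SSL2" ] || [ "$exp" -eq 0 ]; } ; then`. A one-line comment above the grep stating why SSL2 and export-grade suites are excluded (`# SSL2 and EXPORT suites are not FIPS 140-2 approved; skip them in FIPS mode`) would also help the next reader. Note that `ssl_cov` starts before this hunk and the if/elif chain continues past its end.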
@@ -396,16 +401,18 @@ ssl_stress()
           # silently ignore blank lines
           continue
       fi
       p=`echo "$testname" | sed -e "s/Stress //" -e "s/ .*//"`   #sonmi, only run extended test on SSL3 and TLS
       if [ "$p" = "SSL2" -a "$NORM_EXT" = "Extended Test" ] ; then
           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
       elif [ "$ectype" = "ECC" -a  -z "$NSS_ENABLE_ECC" ] ; then
           echo "$SCRIPTNAME: skipping  $testname (ECC only)"
+      elif [ "$p" = "SSL2" -a "$BYPASS_STRING" = "Server FIPS" ] ; then
+          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
       elif [ "$ectype" != "#" ]; then
           cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
 
 # These tests need the mixed cert 
 # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
 # Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
           p=`echo "$sparam" | sed -e "s/\(.*\)\(-c_:C0..\)\(.*\)/\2/"`;
           if [ "$p" = "-c_:C00E" ]; then
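Review bot: The FIPS skip added here covers only SSL2, whereas the matching skip in `ssl_cov` (earlier in this commit) also excludes names containing "EXPORT"; if any stress test name in the input list is export-grade, it will still be run against the FIPS-mode server. Unless the stress list is known to contain no EXPORT entries, mirroring the coverage check keeps the two loops consistent, e.g. `echo "$testname" | grep EXPORT > /dev/null 2>&1; exp=$?` before the chain and `elif [ "$BYPASS_STRING" = "Server FIPS" ] && { [ "$p" = "SSL2" ] || [ "$exp" -eq 0 ]; } ; then`. `ssl_stress` begins before this hunk and its if/elif chain continues after it.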
@@ -771,16 +778,52 @@ ssl_run()
     R_CLIENTDIR=$ORIG_R_CLIENTDIR
     P_R_SERVERDIR=$ORIG_P_R_SERVERDIR
     P_R_CLIENTDIR=$ORIG_P_R_CLIENTDIR
     USER_NICKNAME=TestUser
     NORM_EXT=
     cd ${QADIR}/ssl
 }
 
+############################ ssl_set_fips ##############################
+# local shell function to set FIPS mode on/off
+########################################################################
+ssl_set_fips()
+{
+    DBDIR=$1
+    FIPSMODE=$2
+    TESTNAME=$3
+    MODUTIL="modutil"
+
+    if [ "${FIPSMODE}" = "true" ] ; then
+        RET_EXP=0
+    else
+        RET_EXP=1
+    fi
+
+    echo "${SCRIPTNAME}: ${TESTNAME}"
+
+    echo "${MODUTIL} -dbdir ${DBDIR} -fips ${FIPSMODE} -force"
+    ${MODUTIL} -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1
+    RET=$?  
+    html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \
+             "produced a returncode of ${RET}, expected is 0"
+
+    echo "${MODUTIL} -dbdir ${DBDIR} -list"
+    DBLIST=`${MODUTIL} -dbdir ${DBDIR} -list 2>&1`
+    RET=$?  
+    html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \
+             "produced a returncode of ${RET}, expected is 0"
+
+    echo "${DBLIST}" | grep "FIPS PKCS #11"
+    RET=$?
+    html_msg "${RET}" "${RET_EXP}" "${TESTNAME} (grep \"FIPS PKCS #11\")" \
+             "produced a returncode of ${RET}, expected is ${RET_EXP}"
+}
+
 ################## main #################################################
 
 #this script may be sourced from the distributed stress test - in this case do nothing...
 
 CSHORT="-c ABCDEF:0041:0084cdefgijklmnvyz"
 CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:0041:0084cdefgijklmnvyz"
 
 if [ -z  "$DO_REM_ST" -a -z  "$DO_DIST_ST" ] ; then
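Review bot: `ssl_set_fips` assigns `DBDIR`, `FIPSMODE`, `TESTNAME`, `MODUTIL`, `RET` and `RET_EXP` as shell globals with no `local`, so a call clobbers any same-named variable the harness or a sourcing script already holds; if `DBDIR` is used elsewhere in the test suite this is a silent side effect, and at minimum the function header should say so. The function also reports the outcome only through `html_msg` and never returns a status, so a caller cannot tell whether `modutil -fips true -force` actually engaged FIPS before it proceeds; ending the function with `[ "${RET}" -eq "${RET_EXP}" ]` would make its exit status reflect the final grep check. The `"FIPS PKCS #11"` grep on the `-list` output is a substring match on whatever the tool prints, which is fine but worth a comment naming it as the expected FIPS module display name.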
@@ -824,15 +867,35 @@ if [ -z  "$DO_REM_ST" -a -z  "$DO_DIST_S
         if [ -z "$NSS_TEST_DISABLE_BYPASS" -a -z "$NSS_TEST_DISABLE_SERVER_BYPASS" ] ; then
             SERVER_OPTIONS="-B -s"
             CLIENT_OPTIONS=""
             BYPASS_STRING="Server Bypass"
             ssl_run
         else
             echo "$SCRIPTNAME: Skipping Cipher Coverage - Server Bypass Tests"
         fi
+
+        if [ -z "$NSS_TEST_DISABLE_FIPS" ] ; then
+            CLIENT_OPTIONS=""
+            SERVER_OPTIONS=""
+            BYPASS_STRING="Server FIPS"
+
+            html_head "SSL - FIPS mode on"
+            ssl_set_fips "${SERVERDIR}" "true" "Turning FIPS on for the server"
+            ssl_set_fips "${EXT_SERVERDIR}" "true" "Turning FIPS on for the extended server" 
+            html "</TABLE><BR>"
+
+            ssl_run
+
+            html_head "SSL - FIPS mode off"
+            ssl_set_fips "${SERVERDIR}" "false" "Turning FIPS off for the server"
+            ssl_set_fips "${EXT_SERVERDIR}" "false" "Turning FIPS off for the extended server"
+            html "</TABLE><BR>"
+        else
+            echo "$SCRIPTNAME: Skipping Cipher Coverage - FIPS Tests"
+        fi
     else
         echo "$SCRIPTNAME: Skipping Cipher Coverage Tests"
     fi
 
     ssl_iopr_run
     ssl_cleanup
 fi
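Review bot: `ssl_run` is launched under the "Server FIPS" label without confirming that the preceding `ssl_set_fips` calls succeeded, so if `modutil -fips true -force` fails the whole run still executes and is recorded as FIPS coverage even though the softoken is in its normal mode; only the `html_msg` lines from `ssl_set_fips` would reveal this. A cheap guard before `ssl_run` is to re-check the server DB, e.g. `modutil -dbdir "${SERVERDIR}" -list 2>&1 | grep "FIPS PKCS #11" > /dev/null 2>&1 || echo "$SCRIPTNAME: FIPS not enabled on ${SERVERDIR}, results below are not FIPS"`. Separately, the FIPS-off calls run only on the normal path; if the script is interrupted during `ssl_run` the server databases remain in FIPS mode for later test scripts, and `ssl_cleanup` (body not in this hunk) does not appear to restore them — consider doing the `-fips false` reset there as well. The enclosing `if` block starts before this hunk.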